The Internet Society


One of the greatest wonders of this world is not a crumbling edifice, nor is it a towering monolith; rather, it is the throbbing, pulsating mesh of circuitry referred to as the Internet.

The beauty of the Internet (sometimes referred to as "the net") is visible not just at the primal architectural level (the basic paradigm is chopping data up into little packets and sending the packets separately across a coaxial cable and reassembling these packets at the other end---that this simple idea works so well is a wonder in and of itself), but also at an intermediate level (the existence of lucid protocols such as SMTP, message routing, NFS, ...), and at the social level.

The latter level is what will be addressed most in this posting. By "social" (I hate this word!), I mean the level at which users interact with the net. This can involve transferring of files, creating virtual sessions, obtaining information, and inter-personal activities such as exchanging e-mail and using TALK to communicate. The big advantage of the Internet is that it is real-time. That is, whatever the exchange of data that takes place, it is instantaneous. The potential of such a faculty is enormous and to this date, it has almost always been used to its fullest. However, a disturbing change in attitude has manifested in the social structure of the net.

The social structure of the Internet is anarchistic. Power is highly localised to a domain (in my case nist.gov) or sub-domains (carb.nist.gov) or even hosts (iris1.carb.nist.gov). System administrators at a given domain/host have as much power as any other administrator across the net. The Internet flourishes mainly due to the cooperation of the local nodes. In fact, even for compilation of the Internet's size, SRI international relies on the cooperation of system administrators. It is difficult to appreciate how much it truly relies on simple trust and openness. The protocols and the programs that make the Internet (FTP, Telnet, SMTP) are based on forbearance. A lot of tools we see today used to navigate the net were made possible simply because of this leniency of access (users without privilege could write sophisticated programs and experiment with various aspects of the net). Changing this will not only dissuade development of better software, but will also make the net into a travesty of what it currently is.

Take for example the way the protocol works as it transfers data across the net. A packet of information is usually sent to ALL machines in a LAN before it gets to the outside world. The only thing that prevents this data from being accessed "illegally" is a "gentleman's agreement". It is at this place that security is most lax. Changing this would change the basic design of how the Internet works, and if implemented inefficiently (I see no way how this could be done in an efficient manner), it would make it a slower network. The beauty of the Internet is based on the fact that transmission of data can happen in a simple, uninhindered manner.

Why should one want to change it? There has been a lot of hype about security (or lack thereof) on the net. People lament the rising "crime rate" and loss of open collaboration. Some of it is undeniably true. However, it has existed from the time the ARPAnet shelved off to form the Internet. At that time, the people using the net knew how to take care of themselves. With rising population, the Internet's security has become a factor. But the Internet rose because of its lax and free-flowing nature (the decline of the more rigorous network, the BITNET, is an example that illustrates that flexibility flourishes). The problem is visible mainly because of the incompetence of system administrators: Any security problem can be handled best by simply configuring a system correctly. Even AIX (IBM's Unix), which is so bug ridden, can be made into a secure system at a certain cost (of accessibility). But, the more you want to be part of the net, the less privacy you have.

There are two sorts of individuals whose ideas are destructive to the very nature of the net. The first are those who claim that extra security (and some of their ideas involve an entire restructuring of the net) in the form of encryption schemes, etc., are the answer to the net's problems. My response is that if you wish to be protected, it's easy enough; people have been doing this for ages. Set up firewalls, remove complete access to the net, and set up layers of machines to shield yourself from the net. But no, these people aren't content with having THEIR system secure---they wish to impose their inane ideas on the rest of the net.

The classic example of this, of course, is the Clipper chip and SKIPJACK encryption scheme which supposedly guarantees "secure communication", but the government has the privilege to monitor this communication anytime. As John Perry Barlow has put it, "trusting the government with your privacy is like trusting a Peeping Tom to install your window blinds." (If you are interested in more information on this proposal and how you can oppose it, let me know.)

Any general scheme like the above is very unrealistic because it entails the cooperation of all the people across the net. Instead, the paranoid people can take steps to protect their systems as much as they want. Eventually, the local user community, if incensed enough, will rebel, or find alternative measures, in order to gain access to the net (from personal experience, this HAS happened). But the important thing is that security lies in configuration. You can protect your house adequately if you are willing to invest in a lot of alarm systems and locks, but you shouldn't force this unrealistic view on everyone else around the world. This approach, approved by a few, is held in contempt by most of the net and in the current forseeable future will NOT happen.

Most of the Internet protocols are very open: the SMTP protocol is one example where one can fake e-mail messages in an instant (as demonstrated here---I could be president@whitehouse.gov). But this is the same openness which, I believe, has resulted in us having very cool mail packages such as pine or elm. NFS is another protocol that weakens a system's security to a great extreme. Can you implement NFS with so much security (such as encryption, etc.) and have it still be efficient? I don't think so. Gopher servers are another security risk, but only if improperly configured. With the right set of locks, your machine can indeed exist reasonably securely on the net. The net, and its simplicity should not be compromised for human misdemeanors.

But why do we need locks in the first place? Why can't everything be open? This brings us to the sort of individuals abusing the net. These are unemployed morons who have nothing better to do than to waste the net's resources in several ways. These are the sort of people who indulge in MUDs and IRC. While the latter does have potential, what it is now is best emphasised by what Bobby wrote me once:

"... I hope it haunts you till the day IRC actually turns into a real medium, not some combination of losers, net-junkies, net-surfers, role-players and "I'm wiredom I'm cool" freaks."

This could also apply to those who MUD and the ones who attempt to crack machines. The security holes are there! What are they trying to prove? The fact remains that most people of this sort don't appreciate the net. This is part of a letter I read in the U. Magazine:

"...The power of GOPHERS and other data access tools are restructuring the way we get info. Not to mention the fun things like e-mail (even to the president!), IRC servers, netTREK, and other net-based games."

It clearly shows this person's inclination of how the net should be used. Net-based games are expensive and cost the whole net. IRC, well, it is a medium that could be used for better purposes, but it is a loss right now. I say all this because it is this attitude that is prevalent among those who steal passwords and exploit other system's weaknessess (this is different from those finding out how to do it and then not doing it).

Commercialisation also brings the need for security. As long as the net is used to simply exchange ideas, it is reasonable to expect that most people would not be interested in forging addresses, etc. But now you can order merchandise over e-mail! There's economic incentive involved. While I am not sure about how this should be handled, it can't be denied that commercialisation (in any form, including "selling" access the net, allowing for business transactions, etc.) brings in people whose motives aren't in the best interests of the net. With the system the way it is, you can't keep these people out and I doubt if this is the solution.

In the past, there was an automatic filter---you had to do something special (goto colllege, work in a big enough company, etc.) in order to gain access to the net. This was appreciated and thus the people who used it were less prone to abuse it. These days, for $40 a year, a modem and a computer, you have access. When it becomes so easily available, people start taking it for granted.

To summarise, people who cry about security should mind their own business and properly configure their systems. The same people who whine so much are those who have a single system manager for a hundred networked computers. This is clearly bound to cause problems. There is NOTHING that can't be made secure with existing protocols---provided you are willing to pay the price of less access to the net. I would also argue that there is NOTHING one can do to have completely access to the net and STILL have the privacy one wants.

The root of the problem, however, is with users who have no respect for the wondrous nature of the net. While this is simply human nature, encouraging a healthy respect towards what the net can do, for both those who believe in making the net so rigid that nothing gets done, and those who intend to "harm" the net, is the way to go.


References


Pseudo-intellectual ram-blings || Ram Samudrala || me@ram.org